linux/security/apparmor/include/context.h
<<
>>
Prefs 
   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor contexts used to associate "labels" to objects.
   5 *
   6 * Copyright (C) 1998-2008 Novell/SUSE
   7 * Copyright 2009-2010 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#ifndef __AA_CONTEXT_H
  16#define __AA_CONTEXT_H
  17
  18#include <linux/cred.h>
  19#include <linux/slab.h>
  20#include <linux/sched.h>
  21
  22#include "policy.h"
  23
  24/* struct aa_file_cxt - the AppArmor context the file was opened in
  25 * @perms: the permission the file was opened with
  26 *
  27 * The file_cxt could currently be directly stored in file->f_security
  28 * as the profile reference is now stored in the f_cred.  However the
  29 * cxt struct will expand in the future so we keep the struct.
  30 */
  31struct aa_file_cxt {
  32        u16 allow;
  33};
  34
  35/**
  36 * aa_alloc_file_context - allocate file_cxt
  37 * @gfp: gfp flags for allocation
  38 *
  39 * Returns: file_cxt or NULL on failure
  40 */
  41static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp)
  42{
  43        return kzalloc(sizeof(struct aa_file_cxt), gfp);
  44}
  45
  46/**
  47 * aa_free_file_context - free a file_cxt
  48 * @cxt: file_cxt to free  (MAYBE_NULL)
  49 */
  50static inline void aa_free_file_context(struct aa_file_cxt *cxt)
  51{
  52        if (cxt)
  53                kzfree(cxt);
  54}
  55
  56/**
  57 * struct aa_task_cxt - primary label for confined tasks
  58 * @profile: the current profile   (NOT NULL)
  59 * @exec: profile to transition to on next exec  (MAYBE NULL)
  60 * @previous: profile the task may return to     (MAYBE NULL)
  61 * @token: magic value the task must know for returning to @previous_profile
  62 *
  63 * Contains the task's current profile (which could change due to
  64 * change_hat).  Plus the hat_magic needed during change_hat.
  65 *
  66 * TODO: make so a task can be confined by a stack of contexts
  67 */
  68struct aa_task_cxt {
  69        struct aa_profile *profile;
  70        struct aa_profile *onexec;
  71        struct aa_profile *previous;
  72        u64 token;
  73};
  74
  75struct aa_task_cxt *aa_alloc_task_context(gfp_t flags);
  76void aa_free_task_context(struct aa_task_cxt *cxt);
  77void aa_dup_task_context(struct aa_task_cxt *new,
  78                         const struct aa_task_cxt *old);
  79int aa_replace_current_profile(struct aa_profile *profile);
  80int aa_set_current_onexec(struct aa_profile *profile);
  81int aa_set_current_hat(struct aa_profile *profile, u64 token);
  82int aa_restore_previous_profile(u64 cookie);
  83
  84/**
  85 * __aa_task_is_confined - determine if @task has any confinement
  86 * @task: task to check confinement of  (NOT NULL)
  87 *
  88 * If @task != current needs to be called in RCU safe critical section
  89 */
  90static inline bool __aa_task_is_confined(struct task_struct *task)
  91{
  92        struct aa_task_cxt *cxt = __task_cred(task)->security;
  93
  94        BUG_ON(!cxt || !cxt->profile);
  95        if (unconfined(aa_newest_version(cxt->profile)))
  96                return 0;
  97
  98        return 1;
  99}
 100
 101/**
 102 * aa_cred_profile - obtain cred's profiles
 103 * @cred: cred to obtain profiles from  (NOT NULL)
 104 *
 105 * Returns: confining profile
 106 *
 107 * does NOT increment reference count
 108 */
 109static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
 110{
 111        struct aa_task_cxt *cxt = cred->security;
 112        BUG_ON(!cxt || !cxt->profile);
 113        return aa_newest_version(cxt->profile);
 114}
 115
 116/**
 117 * __aa_current_profile - find the current tasks confining profile
 118 *
 119 * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
 120 *
 121 * This fn will not update the tasks cred to the most up to date version
 122 * of the profile so it is safe to call when inside of locks.
 123 */
 124static inline struct aa_profile *__aa_current_profile(void)
 125{
 126        return aa_cred_profile(current_cred());
 127}
 128
 129/**
 130 * aa_current_profile - find the current tasks confining profile and do updates
 131 *
 132 * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
 133 *
 134 * This fn will update the tasks cred structure if the profile has been
 135 * replaced.  Not safe to call inside locks
 136 */
 137static inline struct aa_profile *aa_current_profile(void)
 138{
 139        const struct aa_task_cxt *cxt = current_cred()->security;
 140        struct aa_profile *profile;
 141        BUG_ON(!cxt || !cxt->profile);
 142
 143        profile = aa_newest_version(cxt->profile);
 144        /*
 145         * Whether or not replacement succeeds, use newest profile so
 146         * there is no need to update it after replacement.
 147         */
 148        if (unlikely((cxt->profile != profile)))
 149                aa_replace_current_profile(profile);
 150
 151        return profile;
 152}
 153
 154#endif /* __AA_CONTEXT_H */
 155
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.